Timehop’s database breached compromising data of 21 million users

Timehop’s database breached compromising data of 21 million users

Credit Timehop

However, Timehop has also attracted the attention of some unwanted guests as the company announced this weekend that someone broke into its network on July 4.

The good news is that it appears none of your social media posts or photos were obtained - the company deletes this data after you have viewed it. Timehops also says there is no evidence that the hackers gained access to any accounts.

The company said names, email addresses, and some phone numbers for the 21 million users were lifted.

Timehop stressed that private messages, financial data, social media content, and Timehop data were compromised.

Timehop has already invalidated all the access tokens it had on file, effectively disconnecting every Timehop account from every service and preventing any more harm being done.

Astonishingly, the attack was possible because Timehop didn't itself use 2FA for its cloud computing login! In past attacks, hackers have ported numbers to their own account in order to obtain 2FA messages which can be used to access other accounts, including online banking services. Timehop has "deactivated these keys so they can no longer be used by anyone - so you'll have to re-authenticate to our App".

Alarmingly, the company said data thieves could access Timehop's "access tokens" which allow its app to show people old social media posts from services such as Facebook and Instagram.

Neither Timehop nor Facebook immediately responded to requests for comment.

Teen Arrested in Iran Over Instagram Dancing Videos
Dozens of Iranian women have flooded social media with videos of themselves dancing in solidarity with an arrested Instagram star. In one video, she spoke about the history of parkour, an outdoor activity popular in Iran , and about women practitioners.


The breach also led to a loss of access tokens that the service uses to access users' posts on other social networks.

"We have now taken steps that include multifactor authentication to secure our authorisation and access controls on all accounts", the blog post said. But prior to that its Twitter account was only noting that some "unscheduled maintenance" might be causing problems for users accessing the app... "But this employee was here for so long, from back when we were just a baby company, so it seems something got overlooked", he adds.

The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure.

Breach reporting requirements are baked into Europe's recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities - and to do so quickly - with the regulation setting a universal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in "a risk to the rights and freedoms of natural persons").

The company said it has notified all European Union users in accordance with the new General Data Protection Regulation, or GDPR.

Because Timehop is a free service, no payment information was affected by the data breach.

Most of the data included user names and email addresses.

Latest News